wraithgar authored Mar 30, 2023
1 parent 829503b commit 01986d1
Showing 13 changed files with 70 additions and 84 deletions.
18 changes: 12 additions & 6 deletions node_modules/sigstore/dist/ca/format.js
@@ -1,14 +1,20 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.toCertificateRequest = void 0;
function toCertificateRequest(publicKey, challenge) {
function toCertificateRequest(identityToken, publicKey, challenge) {
return {
publicKey: {
content: publicKey
.export({ type: 'spki', format: 'der' })
.toString('base64'),
credentials: {
oidcIdentityToken: identityToken,
},
publicKeyRequest: {
publicKey: {
algorithm: 'ECDSA',
content: publicKey
.export({ format: 'pem', type: 'spki' })
.toString('ascii'),
},
proofOfPossession: challenge.toString('base64'),
},
signedEmailAddress: challenge.toString('base64'),
};
}
exports.toCertificateRequest = toCertificateRequest;
7 changes: 3 additions & 4 deletions node_modules/sigstore/dist/ca/index.js
Expand Up @@ -3,17 +3,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
exports.CAClient = void 0;
const client_1 = require("../client");
const error_1 = require("../error");
const util_1 = require("../util");
const format_1 = require("./format");
class CAClient {
constructor(options) {
this.fulcio = new client_1.Fulcio({ baseURL: options.fulcioBaseURL });
}
async createSigningCertificate(identityToken, publicKey, challenge) {
const request = (0, format_1.toCertificateRequest)(publicKey, challenge);
const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge);
try {
const certificate = await this.fulcio.createSigningCertificate(identityToken, request);
return util_1.pem.split(certificate);
const certificate = await this.fulcio.createSigningCertificate(request);
return certificate.signedCertificateEmbeddedSct.chain.certificates;
}
catch (err) {
throw new error_1.InternalError('error creating signing certificate', err);
1 change: 1 addition & 0 deletions node_modules/sigstore/dist/cli/index.js
Expand Up @@ -65,6 +65,7 @@ function printUsage() {
const signOptions = {
oidcClientID: 'sigstore',
oidcIssuer: 'https://oauth2.sigstore.dev/auth',
oidcRedirectURL: process.env.OIDC_REDIRECT_URL,
rekorURL: index_1.sigstore.DEFAULT_REKOR_URL,
};
async function sign(artifactPath) {
8 changes: 3 additions & 5 deletions node_modules/sigstore/dist/client/fulcio.js
Expand Up @@ -31,22 +31,20 @@ class Fulcio {
retry: { retries: 2 },
timeout: 5000,
headers: {
Accept: 'application/pem-certificate-chain',
'Content-Type': 'application/json',
'User-Agent': util_1.ua.getUserAgent(),
},
});
this.baseUrl = options.baseURL;
}
async createSigningCertificate(idToken, request) {
const url = `${this.baseUrl}/api/v1/signingCert`;
async createSigningCertificate(request) {
const url = `${this.baseUrl}/api/v2/signingCert`;
const response = await this.fetch(url, {
method: 'POST',
headers: { Authorization: `Bearer ${idToken}` },
body: JSON.stringify(request),
});
(0, error_1.checkStatus)(response);
const data = await response.text();
const data = await response.json();
return data;
}
}
9 changes: 7 additions & 2 deletions node_modules/sigstore/dist/identity/index.js
Expand Up @@ -27,8 +27,13 @@ const oauth_1 = require("./oauth");
* @param clientSecret Client secret for the issuer (optional)
* @returns {Provider}
*/
function oauthProvider(issuer, clientID, clientSecret) {
return new oauth_1.OAuthProvider(new issuer_1.Issuer(issuer), clientID, clientSecret);
function oauthProvider(options) {
return new oauth_1.OAuthProvider({
issuer: new issuer_1.Issuer(options.issuer),
clientID: options.clientID,
clientSecret: options.clientSecret,
redirectURL: options.redirectURL,
});
}
/**
* ciContextProvider returns a new Provider instance which attempts to retrieve
27 changes: 18 additions & 9 deletions node_modules/sigstore/dist/identity/oauth.js
Expand Up @@ -26,10 +26,11 @@ const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
const url_1 = require("url");
const util_1 = require("../util");
class OAuthProvider {
constructor(issuer, clientID, clientSecret) {
this.clientID = clientID;
this.clientSecret = clientSecret || '';
this.issuer = issuer;
constructor(options) {
this.clientID = options.clientID;
this.clientSecret = options.clientSecret || '';
this.issuer = options.issuer;
this.redirectURI = options.redirectURL;
this.codeVerifier = generateRandomString(32);
this.state = generateRandomString(16);
}
Expand All @@ -43,9 +44,20 @@ class OAuthProvider {
async initiateAuthRequest() {
const server = http_1.default.createServer();
const sockets = new Set();
// Start server and wait till it is listening
// Start server and wait till it is listening. If a redirect URL was
// provided, use that. Otherwise, use a random port and construct the
// redirect URL.
await new Promise((resolve) => {
server.listen(0, resolve);
if (this.redirectURI) {
const url = new url_1.URL(this.redirectURI);
server.listen(Number(url.port), url.hostname, resolve);
}
else {
server.listen(0, resolve);
// Get port the server is listening on and construct the server URL
const port = server.address().port;
this.redirectURI = `http://localhost:${port}`;
}
});
// Keep track of connections to the server so we can force a shutdown
server.on('connection', (socket) => {
Expand All @@ -54,9 +66,6 @@ class OAuthProvider {
sockets.delete(socket);
});
});
// Get port the server is listening on and construct the server URL
const port = server.address().port;
this.redirectURI = `http://localhost:${port}`;
const result = new Promise((resolve, reject) => {
// Set-up handler for post-auth redirect
server.on('request', (req, res) => {
7 changes: 6 additions & 1 deletion node_modules/sigstore/dist/sigstore.js
Expand Up @@ -115,7 +115,12 @@ function configureIdentityProviders(options) {
else {
idps.push(identity_1.default.ciContextProvider());
if (options.oidcIssuer && options.oidcClientID) {
idps.push(identity_1.default.oauthProvider(options.oidcIssuer, options.oidcClientID, options.oidcClientSecret));
idps.push(identity_1.default.oauthProvider({
issuer: options.oidcIssuer,
clientID: options.oidcClientID,
clientSecret: options.oidcClientSecret,
redirectURL: options.oidcRedirectURL,
}));
}
}
return idps;
23 changes: 1 addition & 22 deletions node_modules/sigstore/dist/util/pem.js
@@ -1,6 +1,6 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.fromDER = exports.toDER = exports.split = void 0;
exports.fromDER = exports.toDER = void 0;
/*
Copyright 2022 The Sigstore Authors.
Expand All @@ -18,27 +18,6 @@ limitations under the License.
*/
const PEM_HEADER = /-----BEGIN (.*)-----/;
const PEM_FOOTER = /-----END (.*)-----/;
// Given a set of PEM-encoded certificates bundled in a single string, returns
// an array of certificates. Standard PEM encoding dictates that each certificate
// should have a trailing newline after the footer.
function split(certificate) {
const certs = [];
let cert = [];
certificate.split('\n').forEach((line) => {
line.includes;
if (line.match(PEM_HEADER)) {
cert = [];
}
if (line.length > 0) {
cert.push(line);
}
if (line.match(PEM_FOOTER)) {
certs.push(cert.join('\n').concat('\n'));
}
});
return certs;
}
exports.split = split;
function toDER(certificate) {
let der = '';
certificate.split('\n').forEach((line) => {
2 changes: 1 addition & 1 deletion node_modules/sigstore/dist/util/stream.js
Expand Up @@ -112,5 +112,5 @@ class ByteStream {
this.view = newView;
}
}
exports.ByteStream = ByteStream;
ByteStream.BLOCK_SIZE = 1024;
exports.ByteStream = ByteStream;
31 changes: 7 additions & 24 deletions node_modules/sigstore/dist/x509/asn1/obj.js
Expand Up @@ -22,28 +22,15 @@ const length_1 = require("./length");
const parse_1 = require("./parse");
const tag_1 = require("./tag");
class ASN1Obj {
constructor(tag, headerLength, buf, subs) {
constructor(tag, value, subs) {
this.tag = tag;
this.headerLength = headerLength;
this.buf = buf;
this.value = value;
this.subs = subs;
}
// Constructs an ASN.1 object from a Buffer of DER-encoded bytes.
static parseBuffer(buf) {
return parseStream(new stream_1.ByteStream(buf));
}
// Returns the raw bytes of the ASN.1 object's value. For constructed objects,
// this is the concatenation of the raw bytes of the values of its children.
// For primitive objects, this is the raw bytes of the object's value.
// Use the various to* methods to parse the value into a specific type.
get value() {
return this.buf.subarray(this.headerLength);
}
// Returns the raw bytes of the entire ASN.1 object (including tag, length,
// and value)
get raw() {
return this.buf;
}
toDER() {
const valueStream = new stream_1.ByteStream();
if (this.subs.length > 0) {
Expand Down Expand Up @@ -114,13 +101,11 @@ exports.ASN1Obj = ASN1Obj;
/////////////////////////////////////////////////////////////////////////////
// Internal stream parsing functions
function parseStream(stream) {
// Capture current stream position so we know where this object starts
const startPos = stream.position;
// Parse tag and length from stream
// Parse tag, length, and value from stream
const tag = new tag_1.ASN1Tag(stream.getUint8());
const len = (0, length_1.decodeLength)(stream);
// Calculate length of header (tag + length)
const header = stream.position - startPos;
const value = stream.slice(stream.position, len);
const start = stream.position;
let subs = [];
// If the object is constructed, parse its children. Sometimes, children
// are embedded in OCTESTRING objects, so we need to check those
Expand All @@ -140,11 +125,9 @@ function parseStream(stream) {
}
// If there are no children, move stream cursor to the end of the object
if (subs.length === 0) {
stream.seek(startPos + header + len);
stream.seek(start + len);
}
// Capture the raw bytes of the object (including tag, length, and value)
const buf = stream.slice(startPos, header + len);
return new ASN1Obj(tag, header, buf, subs);
return new ASN1Obj(tag, value, subs);
}
function collectSubs(stream, len) {
// Calculate end of object content
11 changes: 6 additions & 5 deletions node_modules/sigstore/dist/x509/cert.js
Expand Up @@ -59,7 +59,7 @@ class x509Certificate {
return this.subjectObj.value;
}
get publicKey() {
return this.subjectPublicKeyInfoObj.raw;
return this.subjectPublicKeyInfoObj.toDER();
}
get signatureAlgorithm() {
const oid = this.signatureAlgorithmObj.subs[0].toOID();
Expand Down Expand Up @@ -115,13 +115,13 @@ class x509Certificate {
// Use the issuer's public key if provided, otherwise use the subject's
const publicKey = issuerCertificate?.publicKey || this.publicKey;
const key = util_1.crypto.createPublicKey(publicKey);
return util_1.crypto.verifyBlob(this.tbsCertificate.raw, key, this.signatureValue, this.signatureAlgorithm);
return util_1.crypto.verifyBlob(this.tbsCertificate.toDER(), key, this.signatureValue, this.signatureAlgorithm);
}
validForDate(date) {
return this.notBefore <= date && date <= this.notAfter;
}
equals(other) {
return this.root.raw.equals(other.root.raw);
return this.root.toDER().equals(other.root.toDER());
}
verifySCTs(issuer, logs) {
let extSCT;
Expand Down Expand Up @@ -167,8 +167,9 @@ class x509Certificate {
}
// Creates a copy of the certificate with a new buffer
clone() {
const clone = Buffer.alloc(this.root.raw.length);
this.root.raw.copy(clone);
const der = this.root.toDER();
const clone = Buffer.alloc(der.length);
der.copy(clone);
return x509Certificate.parse(clone);
}
findExtension(oid) {
4 changes: 2 additions & 2 deletions node_modules/sigstore/package.json
@@ -1,6 +1,6 @@
{
"name": "sigstore",
"version": "1.1.1",
"version": "1.2.0",
"description": "code-signing for npm packages",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand Down Expand Up @@ -51,7 +51,7 @@
"nock": "^13.2.4",
"prettier": "^2.6.2",
"ts-jest": "^29.0.5",
"typescript": "^4.7.2"
"typescript": "^5.0.2"
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.1.0",
6 changes: 3 additions & 3 deletions package-lock.json
Expand Up @@ -11174,9 +11174,9 @@
"inBundle": true
},
"node_modules/sigstore": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.1.1.tgz",
"integrity": "sha512-4hR3tPP1y59YWlaoAgAWFVZ7srTjNWOrrpkQXWu05qP0BvwFYyt3K3l848+IHo+mKhkOzGcNDf7ktASXLEPC+A==",
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.2.0.tgz",
"integrity": "sha512-Fr9+W1nkBSIZCkJQR7jDn/zI0UXNsVpp+7mDQkCnZOIxG9p6yNXBx9xntHsfUyYHE55XDkkVV3+rYbrkzAeesA==",
"inBundle": true,
"dependencies": {
"@sigstore/protobuf-specs": "^0.1.0",
